Академический Документы
Профессиональный Документы
Культура Документы
Supervisor:
Raja M. Khurram Shahzad
School of Engineering
Blekinge Institute of Technology
371 79 Karlskrona, Sweden
Internet: www.bth.se/ing
Phone: +46 455 38 50 00
Fax: +46 455 38 50 57
Start by doing what's necessary, then what's possible; and suddenly you are doing the
impossible.
Saint Francis
ii
Abstract
The use of internet has increased over the past years. Many users may not have good intentions.
Some people use the internet to gain access to the unauthorized information. Although absolute
security of information is not possible for any network connected to the Internet however,
firewalls make an important contribution to the network security. A firewall is a barrier placed
between the network and the outside world to prevent the unwanted and potentially damaging
intrusion of the network.
This thesis compares the performance of Linux packet filtering firewalls, i.e. iptables and
shorewall. The firewall performance testing helps in selecting the right firewall as needed. In
addition, it highlights the strength and weakness of each firewall. Both firewalls were tested by
using the identical parameters.
The experimental results indicate that the performance of Iptables firewall decreases as compared
to shorewall in all the aspects taken into account. All the selected metrics show that large
numbers of filtering rules have a negative impact on the performance of both firewalls. However,
UDP throughput is not affected by the number of filtering rules. The experimental results also
indicate that traffic sent with different packet sizes do not affect the performance of firewalls.
Keywords:
Linux Iptables, Firewall performance, Comparison of Linux firewalls
iii
iv
Acknowledgements
In the name of Allah, the most Gracious, the most Compassionate
Foremost, I would like to express my sincere gratitude to supervisor Raja Muhammad Khurram
Shahzad for his continuous help, support, motivation and guidance during the project.
I am thankful to school of engineering at Blekinge Institute of Technology for allowing to use the
Network laboratory for the thesis.
I am grateful to my parents for their endless love and unconditional support during the studies
and life. Finally, I offer regards and blessings to all of those who supported me in the project in
any way.
Karlskrona 2012
Muhammad Zeeshan Ahmad
zeeshnets@msn.com
Table of Contents
1
INTRODUCTION .................................................................................................................. 1
1.1
1.2
BACKGROUND ..................................................................................................................... 4
2.1
2.4
2.5
2.6
METHODOLOGY ............................................................................................................... 11
3.1
Requirements .................................................................................................................................................... 11
3.2
3.3
vi
3.5
3.6
EXPERIMENT ..................................................................................................................... 22
4.1
4.2
RESULTS .............................................................................................................................. 31
5.1
Throughput ....................................................................................................................................................... 31
vii
5.2
Latency .............................................................................................................................................................. 34
5.3
5.4
5.5
5.6
Analysis .............................................................................................................................................................. 40
CONCLUSION ..................................................................................................................... 41
6.1
BIBLIOGRAPHY ................................................................................................................ 43
viii
List of figures
Figure 1.1.1: A Firewall General Model ......................................................................................... 1
Figure 1.3.1: Basic Firewalls function ........................................................................................... 4
Figure 2.1.1: The OSI and the TCP/IP models ................................................................................ 5
Figure 2.1.2: An IPv4 TCP header ................................................................................................... 6
Figure 2.1.3: An IPv4 UDP header .................................................................................................. 6
Figure 4.2.1: Iptables Installation ................................................................................................... 23
Figure 4.2.2: Shorewall Installation ............................................................................................... 23
Figure 4.3.1: Iptables Rules Configuration .................................................................................... 23
Figure 4.3.2: Shorewall Zones ....................................................................................................... 24
Figure 4.3.3: Shorewall Interfaces ................................................................................................. 24
Figure 4.3.4: Shorewall Policies..................................................................................................... 24
Figure 4.3.5: Shorewall Rules Configuration ................................................................................. 25
Figure 4.4.1: TCP Throughput Calculation .................................................................................... 25
Figure 4.4.2: UDP Throughput Calculation ................................................................................... 26
Figure 4.4.3: TCP Latency Calculation .......................................................................................... 26
Figure 4.4.4: UDP Latency Calculation ......................................................................................... 27
Figure 4.4.5: Connection Establishment rate Calculation .............................................................. 27
Figure 4.4.6: Connection Teardown rate Calculation .................................................................... 28
Figure 4.4.7: Iperf Traffic Generation ............................................................................................ 28
Figure 4.4.8: Nmap View ............................................................................................................... 29
Figure 4.4.9: HTTPing status ......................................................................................................... 29
Figure 4.4.10: CPU and Memory usage Calculation...................................................................... 30
Figure 5.1.1: Iptables TCP Throughput.......................................................................................... 31
Figure 5.1.2: Iptables UDP Throughput ......................................................................................... 32
Figure 5.1.3: Shorewall TCP Throughput ...................................................................................... 33
Figure 5.1.4: Shorewall UDP Throughput ..................................................................................... 34
Figure 5.2.1: Iptables TCP Latency (Request/Response)............................................................... 34
Figure 5.2.2: Iptables UDP Latency (Request/Response) .............................................................. 35
Figure 5.2.3: Shorewall TCP Latency (Request/Response) ........................................................... 36
ix
List of Tables
Table 3.6.1: Evaluation tools and their usage in the project .......................................................... 13
Table 3.7.1: Performance Metrics and their importance [26] ........................................................ 16
Table 3.7.2: Difference between bandwidth and throughput ......................................................... 18
Table 4.1.1: Computer Specifications ............................................................................................ 22
xi
List of Acronyms
CPU
GUI
HTTP
I/O
Input/output
ICMP
IP
Internet Protocol
LAN
MTU
NIC
OS
Operating System
OSI
PING
PPS
RFC
RTT
SSL
TCP
UDP
URL
xii
1 Introduction
The growth in computer systems and their interconnections via networks has increased the
dependency of both organizations and individuals on the information stored and communication
using these systems. This has led to the need to protect data and resources from unauthorized
disclosure, to guarantee the authenticity of data and to protect systems from attacks. The attacks
on networks are increasing and are becoming more and more complex. The ability to access and
transfer information in a few seconds allows the government, companies, educational institutions,
and individuals to accelerate the decision process. However, the information can be very valuable
and there is a need for better and faster security systems to protect information and networks. A
secure system is defined as1.
The only truly secure system is one that is powered off, cast in a block of concrete and sealed in
a lead-lined room with armed guards - and even then I have my doubts.
Eugene H. Spafford
Absolute security is not possible for any network connected to the Internet. However, firewalls
make a critical contribution in the network security. A firewall is a part of a computer system or
network that is designed to block an unauthorized access while permitting the authorized
communication. It works as a barrier placed between the network and the outside world to
regulate the flow of traffic between the computer networks.
It acts as the first line of defense against intruders [1] hence; it is located at the entry point of the
network. Figure 1.1.1 presents the general model of a firewall.
1
2
http://spaf.cerias.purdue.edu/quotes.html
http://www.soporte21.com/que_es_un_firewall.php
Throughput
Latency
The benchmarking methodology does not give any information about the testing tools. Therefore,
several tools will be studied for this purpose.
1.2.2 Hypotheses
H0: There is no difference in both firewalls.
H1: Iptables is more efficient in terms of performance.
H2: Shorewall provides reliable performance.
2
The experimental results collected from all the mentioned performance metrics will help in
comparing hypothesis.
2 Background
The firewall provides an additional layer of defense, insulating the internal systems from external
networks. This follows the classic military doctrine of defense in depth, [3] which is just as
applicable to IT security. A firewall examines all the traffic routed between two or more networks
according to certain criteria, if criteria are met traffic is routed between the networks, otherwise it
is stopped 3. There are two access denial methodologies used by firewalls i.e. allow traffic or
restrict. A firewall may allow all traffic through unless it meets specified criteria, or it may deny
all the traffic unless it meets certain criteria. The type of criteria used to determine whether the
traffic is allowed through depends on configuration of firewall done by the user. It can also use
complex rule bases to analyze the application data to determine if the traffic should be allowed.
Figure 1.3.1 presents the functionality of a firewall.
http://www.vicomsoft.com/learning-center/firewalls/
Firewalls operate at different layers to use different criteria to restrict the traffic. In OSI model
this is the network layer, in the TCP / IP model it is the Internet protocol layer. This layer is
concerned with routing the packets to their destination. At this layer firewall determine whether a
packet is from a trusted source, but does not concern with what it contains or what are the other
packets associated with it. Some firewalls operate at the transport layer and know more about a
packet, which then results in grant or deny access depending on specified criteria.
2.1.1 Packet Inspection
A packet has an IP header followed by a TCP, UDP or ICMP headers [5]. TCP and UDP headers
are followed by application messages. Packet inspection focuses on the contents of IP, TCP and
UDP headers. An IPv4 TCP and UDP headers are shown below5.
4
5
http://www.vicomsoft.com/learning-center/firewalls
http://www.cipherdyne.com/LinuxFirewalls/ch03
When a packet enters a firewall it starts matching the packets information against its rules. The
packet filtering rules are based on:
Specific NIC
Host IP address
If the packet matches the criteria of the first rule, then the firewall performs the action described
by the target. If the packet does not match the criteria, then the engine goes to the next rule in the
chain and so on [6]. If firewalls do not process the rules fast enough, the whole system will slow
down. The packet filter does not examine the data section of a packet. The order in which the
rules are defined is important as a firewall process the rules from top to bottom. The list of rules
defining what can come in and what can go out are called chains [7]. Each chain has a default
6
policy. If the packet doesnt match any of the rules, then the default policy is applied. There are
two basic approaches to a firewall.
1) Deny everything by default and explicitly allow selected packets through.
2) Accept everything by default and explicitly deny selected packets through.
Moreover, a firewall mechanism gives the option of either rejecting or denying a packet. If the
reject option is selected then, it returns an error to the sender but if deny option is chosen then, the
packet is immediately discarded without notifying the source.
of Linux firewalls were studied including Iptables, IPCop, Shorewall, Monowall and Firehol.
Firewall selection seems to be a better choice from the performance perspective [13]. After going
through the literature, the following Linux firewalls are found suitable for performance
comparison and evaluation due to their high support, capabilities and documentation.
Iptables
Shorewall
Software based firewalls have their own specific features. The mentioned firewalls fulfill the
performance metrics defined for evaluation. Moreover, they use a similar filtering mechanism to
secure a network. Both firewalls were exposed to identical tests to find out the difference between
each firewall.
http://www.linuxjournal.com/article/6701
http://www.linuxsecurity.com/resource_files/firewalls/nsc/500619.html
10
3 Methodology
This chapter focuses on the evaluation methodology and designs as described in RFC 3511. In
addition to this, different testing tools are described to evaluate the firewalls.
3.1 Requirements
In order to perform the project, Linux operating systems should be installed on computers in
addition with the Internet connectivity. The whole project requires a minimum of two computers.
The reason for choosing the Linux operating system is that selected firewalls are the Linux
distributions and it becomes quite easy to install and setup the entire platform without considering
cost and copyright issues. Moreover, using an open source platform for evaluation will also make
any future work or improvement based on this exposition.
11
http://rfc-ref.org/RFC-TEXTS/3511/chapter4.html
12
during firewall testing. The test may consist of both types. The firewall handles the traffic from
multiple networks in real-time. However, the procedure is different when testing the firewall. The
related work found in the firewall performance testing was also related to unidirectional traffic.
This project also consists of unidirectional traffic.
List of Tools
Netperf (version: 2.6.0)
Usage
Throughput, Latency, Connection establishment rate,
Connection teardown rate
Monitoring
Monitoring
In addition to the mentioned testing tools, firewalls will also be tested by several system statistics
tools in Linux like top, iostat, ps, vmstat, lsof, mpstat, sar etc.
3.6.1 Netperf
Netperf is a network benchmarking tool which measures unidirectional or bi-directional bulk data
transfer and request/response performance of networks using TCP and UDP traffic [20]. It
provides test functionalities for throughput, end to end latency and works on a client/server
model, where the client is the data sender and server is the receiver. Netperf is compatible with
Linux and Windows systems. The main drawback of this tool is that it can only test against one
server at a time. The most basic test is the TCP_STREAM test which measures the throughput.
13
Request/Response is the other feature which measures the transaction rate and the time needed
for a transaction to be complete. Furthermore, the speed of a TCP connection establishment and
closure can be measured with Netperf. It is used in the project because it provides more accurate
results and wide range of test functionalities.
3.6.2 Iperf
Iperf is an open source tool for measuring the network performance based on a client/server
architecture [21]. It can be used for measuring bandwidth, jitter and lost datagrams. It can run on
multiple operating systems like Linux and windows. It creates TCP and UDP data streams which
exchange data between client and server. It is limited to handle one client/server at a time. This
tool is written in C++. It also allows the user to set various parameters that can be used according
to the needs of the test.
It can be associated with a graphical user interface called Jperf which provides graphs and logs
for the tests. This tool in used in calculating bandwidth and HTTP transfer rate to create real-time
traffic.
3.6.3 THTTPd
THTTPd is an open source web server from ACME Laboratories. It is a simple, small, fast, and
secure HTTP server. It suffices for most uses of the web. Its about as fast as the best fullfeatured servers and it has one extremely useful feature (URL-traffic-based throttling) that no
other server currently has9. It is designed for simplicity, small execution and speed.
For calculating the HTTP transfer rate, there must be an HTTP web server running on the firewall
which must reply upon receiving requests from the client side. This tool is used due to its
availability and processing speed.
3.6.4 HTTPing
HTTPing is a substitute of "ping" but for http-requests [22]. It is an open source Linux tool which
probes a given URL with GET requests and displays relevant statistics like the amount of time to
connect, send a request and receive a reply from the web server including the number of bytes
transferred etc. It is used in order to send the ping GET requests to HTTP server running on the
firewall.
http://acme.com/software/thttpd
14
3.6.5 Nmap
Nmap "Network Mapper" is an open source tool for network exploration and security auditing
[23]. It is used to discover hosts and services on a computer network, thus creating a map of the
network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then
analyzes the responses. It can determine the operating system of the target, names and versions of
the listening services, type of device and presence of a firewall. In this project it is used to
discover that an HTTP server is running on the computer where the firewall is located.
3.6.6 Webmin
Webmin is an open source web-based interface for system administration of Linux [24]. It is used
to configure operating system internals, such as users, disk quotas, services or configuration files,
as well as modify and control open source applications. It uses TCP port 10000 for
communicating and can be configured to use SSL. Webmin can be used for controlling many
machines through a single interface. It is built around modules, which have an interface to the
configuration files and the Webmin server. This makes it easy to add new functionality. Due to
the Webmin modular design, it is used in the project to configure files of both firewalls.
3.6.7 Wireshark
Wireshark is the world's foremost network packet analyzer used for network troubleshooting,
analysis, testing and debugging [25]. It provides deep inspection of protocols, live and offline
capture analysis, read/write many different captured file formats. It allows setting a network
interface in promiscuous-mode, which results in seeing all visible traffic on that interface. Packets
can be browsed through a GUI. While packets are captured, each packets source, destination
ports and addresses can be found from it. Moreover traffic can be stored for further offline
analysis. Wireshark in used in this project for monitoring and analyzing traffic generated by Iperf
and Netperf.
15
Several research papers also indicated the throughput, latency and connection establishment and
teardown rate as core metrics in the performance. The reason for selecting these metrics in the
project is explained below. Table 3.7.1 shows a brief description and importance of these metrics.
Metrics
Description
Throughput
Latency
Can be measured in milliseconds
at an offered load near the
firewalls limit
Importance
If basic throughput is not in
place, the firewall obviously
cannot handle the traffic
Basic throughput is a good
starting point to be sure that the
product is close to what is needed
Latency affects perceived
response time
Most firewalls have low latency
when lightly loaded, but latency
must be measured and reported
when the firewall is at its operating
load to understand whether
undesirable delay will occur
Every click on a web-based
application may cause
If this burst of connections
overwhelms the firewall, user
perception of application speed
will be adversely affected
Since every connection that is set
up must also be torn down, the
firewall has to keep up in both
directions
What is the impact of a firewall
on HTTP traffic
HTTP is the type of traffic a
firewall encounters the most
It is hard to measure the performance of a firewall without the mentioned evaluation metrics. This
project will cover all of the mentioned evaluation metrics to test the performance of both firewalls
in a Linux system. The evaluation scenarios are performed online as the selected tools generate
real-time traffic instead of playing back sets of data.
16
3.7.1 Throughput
Throughput is the amount of data transferred successfully over a link from one location to
another in a given period of time. It is usually expressed in bits per second (bits/s or bps).
During this metric test, both of the throughputs will be measured TCP and UDP. In order to do in
depth evaluation there are four scenarios involve in this metric test to perform on each firewall. In
the first scenario, packet sizes are increased to:
and
bytes,
according to RFC 2544. However the maximum size of a single data unit MTU is 1500 bytes
(Ethernet v2). It is the maximum size of an IP packet that can be transmitted in the network
without fragmentation and the largest allowed packet size by Ethernet at the network layer and
hence over the Internet10.
The time duration is set to 30 seconds for measuring the throughput as explained in the section
traffic duration. There are no firewall filtering rules involve in this scenario on each firewall. In
other words there will be no rules on firewalls. All kinds of traffic will be allowed which involves
sending the specified amount of data packets as stated above.
The whole task is done by the testing tool Netperf. It is a very powerful tool which measures the
throughput of a network by sending TCP and UDP stream from client to server. There are two
computers involved in this scenario, one act as a client and one will act as a server, including
Netperf installed on the both computers. The client sends the traffic while server listens to it. The
computer having Netperf server must be the one where the firewall is going to be tested whereas,
Netperf client can be any computer who will send the traffic to the server. Throughput will be
calculated and displayed by the Netperf automatically.
The second, third and fourth scenarios involve increasing the firewall filtering rules to 100, 500
and 1000 respectively; to see the impact on throughput. The involvement of filtering rules and
varying packet sizes will stress the firewall by means of assessing its behavior under the changing
load conditions to show the worst case scenario. Since, firewalls cannot detect duplicate rules. It
is one of the limitations of firewalls found during the literature review and verified during the
experiments. The incoming packets are forced to match to all of the rules before being allowed by
the firewall. In actuality, there are 100 rules written for each firewall which are repeated over and
over to stress it. The tests time duration is same for the rest of the scenarios.
10
http://www.linfo.org/mtu.html
17
The UDP throughput test is also performed in a similar way to TCP. Results of all the scenarios
will be collected to draw any conclusions about firewalls TCP and UDP throughput. The result of
this metric test will tell the ability of a firewall to support transactions that include the transfer of
large volumes of data, as well as supporting a large number of simultaneous transactions. It will
also give the overall picture of network load and hence firewall throughput performance in the
network.
Throughput is related to bandwidth. In general, both are usually measured in bits per second. The
purpose of stating the difference is to clarify both phenomena because, many people misjudge
both terms.
Table 3.7.2: Difference between bandwidth and throughput
Bandwidth
Throughput
3.7.2 Latency
Latency is a measure of time delay experienced in a system. The processing delay of a firewall
is the time when a packet enters the firewall and ends when this same packet leaves it. It is
measured in seconds.
There are several methods to calculate the latency. The most widely used method is by using
Netperf request/response. It is a synchronous, one transaction at a time test, where the transaction
is defined as the complete exchange of a request and a response. The results of this test return as
an average number of transactions which took place in a second. The TCP request/response
(TCP_RR) works as a standard TCP connection by establishing a connection, exchanging packets
and finally breaking the connection. On the other hand UDP request/response (UDP_RR)
assumes that packets reach the destination so, there is no mechanism to notify the source that the
packet has arrived. This metric test will also calculate both latencies TCP and UDP.
The way of calculating the latency is similar to throughput including involvement of two
computers, client server model and traffic generation from client to server. There are four
scenarios involved again in measuring the latency. The first scenario is conducted without any
18
filtering rules, while others involve changing the filtering rules to 100, 500 and 1000 respectively.
In this experiment different request/response sizes in bytes will be sent. There is an option to
control the size of a request and a response. Latency test is performed by changing the standard
values of request/response to
bytes. Netperf will display the transaction rate per second which is known as
latency. Time duration of the test is set to 30 seconds as mentioned in the traffic duration. The
UDP latency test will be calculated using the same way as TCP is calculated.
The outcome of this metric test will display the total delay between the end points, or latency as
well as the small-scale variation of this latency. Given that if one knew the latency, available
bandwidth and transaction rates as a profile of network performance between two network end
points then, it is possible to make a reasonable prediction relating to the performance of a firewall
in a network. The results of all the scenarios of each firewall will be compared in order to come
to any conclusion.
3.7.3 Connection Establishment rate
It is the length of time needed for data exchange between two hosts to agree to set up connection
using three-way handshake to establish a TCP/IP Session. The measurement unit is seconds.
The above definition is only valid for connection oriented protocols like TCP, for connectionless
protocols like UDP it is meaningless. The connection establishment rate will also be performed
with the help of Netperf. This time Netperf TCP connect/request/response (TCP_CRR) feature
will be used for calculating the connection establishment rate. The TCP_CRR is the combination
of both TCP_RR and TCP_CC. It measures the performance of establishing a connection,
exchanging a single request/response transaction, and tearing-down that connection.
Request/response values are important by means of the speed of transmission.
The test scenarios will be repeated in this experiment by changing the filtering rules to 0, 100,
500 and 1000 respectively. The test will be performed by changing the standard values of
request/response to 1/1 and 32/1024 which is a typical request/response size.
This test will be conducted by changing the time duration to 60 seconds, as there is no time
duration recommended in RFC 3511. The conclusion made in metric test time is achieved by
doing different timing tests. There are two computers involved in performing this test, one act as
19
a client and one will act as a server. The computer having Netperf server must be the one where
the firewalls will conduct the TCP_CRR test. The results of this test will show the rate at which
each firewall setup a TCP connection by using three-way handshake. The outcome of both
firewalls will be judged in order to come to any conclusion.
3.7.4 Connection Teardown Rate
Connection teardown rate is the speed at which firewalls can tear down the connection and free
the resources to be used for other traffic. It is measured in seconds.
It applies to only connection-oriented protocol like TCP as, UDP is an unreliable and
connectionless protocol. The connection teardown rate is tested by Netperf TCP connect/close
(TCP_CC) feature. Connection teardown rate measures how fast the pair of systems can open and
close connections between one another in a synchronous (one at a time) manner.
Again, test scenarios will be repeated in the same way connection establishment rate is calculated
by changing the filtering rules from 0 to 1000. Standard values of request/response will also be
same in this situation to 1/1 and 32/1024 which represents a typical request/response size.
All the procedure will be same in calculating connection teardown rate as establishment rate is
calculated including time duration and setup. The results of this test will show the rate at which
each firewall teardown the connection and free the resources. The outcome of both firewalls will
be judged in order to come to any conclusion.
3.7.5 HTTP Transfer Rate
HTTP transfer rate is the speed at which HTTP requested objects traverse a firewall. It is
measured in seconds.
It probes a given URL to GET requests and displays relevant statistics like the time take to
complete the request and transferred speed etc. This task involves the use of tool HTTPing which
is like "ping" but for http-requests. HTTP requests will be sent at a constant rate through the
firewall. It is the type of traffic a firewall encounters the most and hence considered in the
project.
In order to calculate the HTTP transfer rate there must an HTTP web server running on the
firewall which should reply upon receiving the requests from the client. For this purpose THTTPd
is used. It will run on the computer having a firewall on port 80 because, HTTP uses port 80. To
20
make sure that the HTTP web server is configured correctly and running on the firewall, Nmap
will be used, which will display the number of open ports.
HTTPing will be installed on one computer and it will send the GET requests to an HTTP web
server running with firewall. At the same time Iperf will generate the traffic with constant packet
size of 512 bytes to stress the firewall. The HTTP transfer rate will be measured while increasing
the number of filtering rules to 0, 500 and 1000 on the firewall to see the impact on the HTTP
transfer rate. The time duration is kept to 60 seconds, as there is no recommendation in RFC 3511
for this type of test. Different options of HTTPing will be used which will display different
statistics of HTTP transfer rate like round-trip time and transfer speed. The results of each
firewall will be criticized to see which firewall takes less time to give response to HTTP requests.
3.7.6 System Resource Consumption
Since the aim of this project is to evaluate the performance of firewalls. All the core evaluation
metrics are taken into account. Far beyond evaluation, it would be interesting to see the individual
and collective CPU statistics, overall I/O activities of the system and memory usage. For this
purpose Linux (sar) utility is used. This utility can do two things.
1. Monitor the real time CPU and memory usage over a specified time.
2. Collect performance data in the background on an on-going basis and do analysis on the
historical data to identify bottlenecks.
The specifications of computer including processor type, RAM capacity and memory also play a
vital role in system resource consumption. Moreover the version of system software like Linux
kernel should also be kept in mind while doing the process.
System resource consumption will be conducted on both firewalls by changing the filtering rules
to 0, 500 and 1000 with a constant packet size of 1024 bytes from Iperf. The time duration is set
to 30 seconds for each firewall. Results of both firewalls will be recorded and compared with
each other to conclude the fact that which firewall consumes more system resources.
21
4 Experiment
All the tools and evaluation methods have been discussed in detail to measure the performance of
firewalls for making comparisons. This chapter will cover the implementation of all the designed
scenarios including configurations to get the results and to come to a conclusion.
In order to do the configuration of firewalls, setup guides and tutorials were consulted. The
firewalls are configured according to the documentation available for them. Manuals of all the
tools were studied to consider the option suitable for performance evaluation.
Model
CPU
RAM
HDD
NIC
Operating System
Iptables version
Computer Specifications
Dell Optiplex 745
Intel Core 2 Duo 6600 @ 2.40GHz
2.00 GB
80GB 7200RPM
Gigabit Ethernet LAN 10/100/1000
KUbuntu 10.04.4 LTS
1.4.4
22
firewall is present on the system, the following commands are used; where -L displays the rules
of the firewall and -V shows the current version.
sudo apt-get install iptables
iptables L
iptables V
4.2.2 Shorewall
Shorewall is not installed on Linux systems by default. The user has to download and install it
manually from the shorewall.net website. On Ubuntu it can be installed by the command listed
below and can be verified by the status and version commands.
sudo apt-get install shorewall
shorewall status
shorewall version
In the above script command -F flushes the table of all contents and -P sets the policy of input,
output and forward chains to accept. An Iptables firewall script can be found in the Appendix B.
23
4.3.2 Shorewall
The configuration of shorewall is not simple as Iptables because, Shorewall has different
configuration settings including zones, interface, policies and rules11. All the configuration files
are located in the directory root/etc/shorewall. Firewall zone will be set at first. The zone is what
the firewall will refer to when determining where requests are coming from and what to do with
them depending on where they are going. Zones can be set by modifying the file zones which is
located in root/etc/shorewall/zones. Figure 4.3.2 shows the Shorewall zone settings.
#ZONE
TYPE
OPTIONS
IN OPTIONS
OUT OPTIONS
#
fw
firewall
net
ipv4
loc
ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Next step is to add the computers physical interface with those zones so, public interface will
reflect the net zone and lo interface corresponds to the loc zone, the system itself. This is done via
root/etc/shorewall/interfaces. Linux command (ifconfig) was used to make sure that eth1 is the
computers physical interface. The interface is set according to the computer system as shown in
figure 4.3.3.
#ZONE
INTERFACE
BROADCAST
OPTIONS
neteth1
detect
loc
lodetect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
The Shorewall policy file will define what the default rules of the firewall are, i.e. what the
firewall will do with a request if there's no specific rule covering that request. In order to set the
policies, the policy file should be adjusted which is located in root/etc/shorewall/policy.
According to the test scenarios policy file is set as shown below:
#SOURCE
DEST
POLICY
LOG LEVEL
LIMIT:BURST CONNLIMIT:MASK
#
Fw
net
ACCEPT
Fw
loc
ACCEPT
Net
fw
ACCEPT
Loc
fw
ACCEPT
net
all
DROP
info
# THE FOLLOWING POLICY MUST BE LAST
all
all
REJECT
info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
11
http://articles.slicehost.com/2009/7/22/rhel-shorewall-configuration
24
The last step in the configuration of Shorewall is to set up the rules. The rules tell the firewall
what to do with a specific request based on source and destination address. The rule file is also
located in /etc/shorewall/rules. Below is an example of rules which allow all the traffic.
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
#
PORT
PORT(S)
DEST
USER/ MARK
LIMIT
GROUP
ACCEPT net
fw
all
ACCEPT fw
net all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
As described earlier about the web-based system configuration software Webmin, it is much
easier to set up all the configuration files with it. After configuration of all the files, firewall is
ready to use. The above mentioned rules are allowing everything through which will be used as
zero firewall rules. The Shorewall rules configuration script is located in Appendix C.
32768
64
30.00
605.06
In Netperf client -l option is used to specify the test time duration which is kept to 30 seconds; -t
states that it will be TCP traffic, -H gives an option to specify the server IP address, -s waits
25
seconds between test setup and test start, which is displayed in sending socket size bytes; -S set
SO_KEEPALIVE on the data connection, which can be seen in received socket size bytes; -m is
used to change the packet size in bytes. In the above test packet size is set to 64 bytes.
Server (IP: 194.47.155.157)
root@labcomputer:# netserver
Starting netserver with host 'IN(6)ADDR_ANY' port '12865' and family AF_UNSPEC
Client
root@labcomputer:# netperf -l 30 -t UDP_STREAM -H 194.47.155.157 -- -s 16384 -S 16K -m
512
MIGRATED UDP STREAM TEST from 0.0.0.0 () port 0 AF_INET to 194.47.155.157 () port 0
AF_INET
Socket Message Elapsed
Messages
Size
Size
Time
Okay Errors
Throughput
Bytes
bytes
secs
#
#
10^6bits/sec
32768
32768
512
30.00
30.00
3955459
2287221
540.05
312.28
In figure 4.4.2 the upper statistics are from the sending (Netperf) side. The lower figures are from
the receiving (Netserver) side. In this figure UDP throughput packet size is set to 512 bytes.
Graphical representation of the results is discussed in the next chapter.
4.4.2 Latency
Latency test was also performed with the help of Netperf. The request/response feature of Netperf
is already explained in detail for calculating the latency. The commands in testing the latency of
both firewalls are explained below. The UDP latency calculation is same as TCP except, to state
that it is a UDP_RR so that Netperf will generate UDP traffic.
Server (IP: 194.47.155.156)
root@labcomputer:# netserver
Starting netserver with host 'IN(6)ADDR_ANY' port '12865' and family AF_UNSPEC
Client
root@labcomputer:# netperf -H 194.47.155.156 -l 30 -t TCP_RR -- -r64,1024
MIGRATED TCP REQUEST/RESPONSE TEST from 0.0.0.0 () port 0 AF_INET to 194.47.155.156 ()
port 0 AF_INET : first burst 0
Local /Remote
Socket Size
Request Resp.
Elapsed Trans.
Send
Recv
Size
Size
Time
Rate
bytes Bytes bytes
bytes
secs.
per sec
16384
16384
87380
87380
64
1024
30.00
6650.46
Netperf -H command is used to specify the IP address of the server; -l gives information about the
test time duration; -t TCP_RR shows that Netperf is using a TCP request/response feature; -r
command is used to change the request/response size.
26
1024
30.00
7284.23
In UDP latency calculation -T option is used to make sure that Netperf and Netserver ran on a
given CPU and did not move around during the test. In the above figure request/response size is
kept to 32/1024 byes. The results of both firewalls TCP and UDP latency is discussed in the next
chapter in a graphical format with latency transaction rate per second evaluated along the y-axis
and number of filtering rules on the x-axis.
4.4.3 Connection Establishment Rate
The method to calculate the connection establishment rate via Netperf TCP_CRR feature has
already explained. The command shown below states that server must be running on one of the
firewall from Netperf netserver command. On the client side -H is used to specify the IP address
of the server; -l shows the duration of the test which is kept to 60 seconds in this case; -t states
that it is a TCP connect/request/response feature; -r is used to change the size of request and
response which is kept to 32,1024.
Server (IP: 194.47.155.157)
root@labcomputer:# netserver
Starting netserver with host 'IN(6)ADDR_ANY' port '12865' and family AF_UNSPEC
Client
root@labcomputer:# netperf -H 194.47.155.157 -l 60 -t TCP_CRR -- -r32,1024
MIGRATED TCP Connect/Request/Response TEST from 0.0.0.0 () port 0
194.47.155.157 () port 0 AF_INET
Local /Remote
Socket Size
Request Resp.
Elapsed Trans.
Send
Recv
Size
Size
Time
Rate
bytes Bytes bytes
bytes
secs.
per sec
16384
16384
87380
87380
32
1024
60.00
AF_INET
to
3180.55
27
87380
87380
32
1024
60.00
4273.89
To make sure that HTTP server running on the firewall, it is verified by Nmap. The commands
are shown in the figure 4.4.8.
28
Client (Nmap)
root@labcomputer:# nmap 194.47.155.157
Starting Nmap 5.00 ( http://nmap.org ) at 2012-09-27 09:04 CEST
Interesting ports on compc-2412-08.comlab.bth.se (194.47.155.157):
Not shown: 997 closed ports
PORT
STATE SERVICE
22/tcpopen ssh
80/tcpopen http
10000/tcpopen snet-sensor-mgmt
MAC Address: 00:19:B9:20:C6:C2 (Dell)
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
After the verification of HTTP web server on port 80, HTTPing is used to send the ping to the
firewall; -G option is used to send the GET request; -b will show the transfer speed in KB/s; -g is
used to specify the URL, it can be an IP address; -c counts the number of requests, in other words
it allows how many times to connect.
Client (HTTPing)
root@labcomputer:# httping -G -b -g http://194.47.155.157 -c 60
PING 194.47.155.157:80 (http://194.47.155.157):
connected to 194.47.155.157:80, seq=0 time=1.29 ms 206554KB/s
connected to 194.47.155.157:80, seq=1 time=1.21 ms 157269KB/s
Continued...
connected to 194.47.155.157:80, seq=58 time=1.15 ms 317647KB/s
connected to 194.47.155.157:80, seq=59 time=1.50 ms 2219KB/s
--- http://194.47.155.157 ping statistics --60 connects, 60 ok, 0.00% failed
round-trip min/avg/max = 1.1/1.5/4.1 ms
Transfer speed: min/avg/max = 2219/224093/321235 KB
The outcome of this metric test is discussed in the next chapter in a graph where the y-axis will
represent the minimum transfer rate and the number of filtering rules will be along the x-axis.
Experimental results of all the metrics can be found numerically in Appendix A. The
experimental results are reported according to the format recommended by benchmarking
methodology for firewall performance in RFC 3511.
4.4.6 System Resource Consumption
In order to see which firewall consume more system resources, Linux (sar) utility is used to
display the average CPU and memory utilization during the traffic. Both firewalls are stressed by
a large number of rules to see their behavior and making a comparison between them.
The computer specifications are same where both firewalls are installed, including the computer
brands. The Figure 4.4.10 displays the method to calculate the CPU and memory utilization in a
29
given amount of time. The command shows the usage at every single second and displays the
average usage after the mentioned time ends.
In the figure option -u displays all CPU utilization statistics during the time which is kept to 30
seconds; -r shows memory utilization statistics. The readings of both firewalls are saved on both
computers in a text file. The results are criticized later on to see which of the firewall consumes
more resources.
Linux [sar] command
root@labcomputer:# sar u 1 30 >> /home/student/Documents/sar_cpu_shorewall_1000
root@labcomputer:# sar r 1 30 >> /home/student/Documents/sar_mem_shorewall_1000
30
5 Results
This chapter provides the comparative results of each firewall. All the metrics result is explained
in their sections.
5.1 Throughput
In any network, the maximum throughput is equal to the data rate supported by NIC, which
defines the theoretical baseline as 1000 Mbps. But in practice, these theoretical numbers are not
achievable because of various factors in the network conditions. The results of both firewalls
show that smaller packet sizes have lower throughput than larger ones. Moreover increasing
filtering rules does not affect the smaller packet size at all. Figure 5.1.1 shows the TCP
throughput of Iptables firewall.
800
Throughput (Mbits/s)
700
600
500
0 Rules
400
100 Rules
300
500 Rules
200
1000 Rules
100
0
32
64
128
256
512
1024
1500
UDP is a protocol that defines how to form messages that are sent over an IP. A device that sends
UDP packets assumes that they reach the destination. There is no mechanism to tell the sender
that the packet has arrived. It is usually used for streaming media applications where an
occasional packet loss does not matter.
31
The results of Iptables firewall show that UDP traffic is not affected by the number of rules on
the firewall. Smaller packet sizes have lower throughput levels and larger gives higher
throughput. However, at 1 kilobytes of packet size it gave maximum throughput which can be
seen from the figure below. At 1.5 kilobytes of packet this level has decreased. A
UDP_STREAM test has no end-to-end flow control. The biggest of these implications is the data
which is sent might not be received by the receiver. On some platforms it may be possible for the
sending throughput to be reported as a value greater than the maximum rate of the link. It is
common when the CPU is faster than network and there is no flow control.
800
Throughput (Mbits/s)
700
600
500
0 Rules
400
100 Rules
300
500 Rules
200
1000 Rules
100
0
32
64
128
256
512
1024
1500
The increasing number of filtering rules on firewalls is important to determine their impact on
performance. The firewall is forced to check each packet against its rules; this also reflects the
working of firewall during peak hours when there is a lot of load on firewalls to handle. It can be
seen clearly from the results of TCP and UDP throughput that TCP transfers more data as
compared to UDP. In general, UDP is faster than TCP, and the reason is because its non-existent
acknowledge packet (ACK) that permits a continuous packet stream. TCP acknowledges a set of
packets, calculated by using the TCP window size and round-trip time (RTT).
In this experiment, TCP and UDP window sizes were the same which can be clearly seen from
the implementation. Moreover, the TCP and UDP window size was also same during the transfer
32
of different packet sizes. The reason behind more TCP throughput is that TCP buffers the data
and fills a network segment thus, making more efficient use of the available bandwidth. UDP on
the other hand puts the packet on the network immediately thus congesting the network with lots
of small packets.
800
700
Throughput (Mbits/s)
600
500
0 Rules
400
100 Rules
500 Rules
300
1000 Rules
200
100
0
32
64
128
256
512
1024
1500
Figure 5.1.3 shows the Shorewall TCP throughput. The shorewall TCP throughput performance
does not degrade in contrast with Iptables even though it was a similar test for both firewalls. The
big difference in both firewalls throughput results is surprising. At 32 bytes of packet size both
firewalls give almost equal results. But, the situation changes when the packet size was 64 bytes
and there 1000 filtering rules.
After comparing both firewall results, it can be seen that Iptables degrade their performance when
the number of filtering rules were increased, whereas Shorewall performance does not affect so
much by number of filtering rules. The Shorewall UDP throughput result is similar to Iptables
UDP throughput which clearly indicates that UDP does not affected by the number of rules or
firewall type.
33
800
Throughput (Mbits/s)
700
600
500
0 Rules
400
100 Rules
300
500 Rules
200
1000 Rules
100
0
32
64
128
256
512
1024
1500
5.2 Latency
Latency of firewalls was measured from the Netperf request/response feature. During the test
request response values were changed while incrementing the filtering rules. The bigger the
request/response size, the lower the transaction rate becomes in firewalls.
12000
10000
Trans. Rate per second
Req=1, Res=1
Req=16, Res=32
8000
Req=32, Res=64
Req=64, Res=128
6000
Req=64, Res=256
4000
Req=64, Res=512
Req=32, Res=1024
2000
Req=64, Res=1024
Req=512, Res=1024
0
0
100
500
1000
34
The results show that if the number of filtering rules are incremented on firewalls; there is a slight
decrease on the transaction rate, which proves that the performance degraded as the rules are
increased.
Since the sender of UDP packets does not require any knowledge that the destination has received
the packets, UDP is relatively immune to latency. The only effect that latency has on a UDP
stream is an increased delay of the entire stream. The filtering rules on firewall also affected the
performance in UDP latency whereas, in UDP throughput filtering rules does not affect the
performance of firewall at all. It is important to note that latency and throughput are completely
independent with UDP traffic. In other words, if latency goes up or down, UDP throughput
remains the same. This concept has more meaning on the effects of latency on TCP traffic.
12000
10000
Trans. Rate per second
Req=1, Res=1
Req=16, Res=32
8000
Req=32, Res=64
Req=64, Res=128
6000
Req=64, Res=256
4000
Req=64, Res=512
Req=32, Res=1024
2000
Req=64, Res=1024
Req=512, Res=1024
0
0
100
500
1000
Shorewall TCP latency shows that it does not delay the traffic in contrast with Iptables which can
be concluded after looking at both results. The transaction rate of Shorewall is more than Iptables
which indicate that it is more efficient than Iptables. Figure 5.2.3 shows the Shorewall TCP
latency. The smaller request/response sizes are not affected by the number of filtering rules on the
Shorewall which can be seen from the figure. Whereas, this was not the case in Iptables. The
conclusion is made after analyzing the outcome.
35
12000
10000
Req=1, Res=1
8000
Req=16, Res=32
Req=32, Res=64
Req=64, Res=128
6000
Req=64, Res=256
Req=64, Res=512
4000
Req=32, Res=1024
Req=64, Res=1024
2000
Req=512, Res=1024
0
0
100
500
1000
There are no effects of latency on the sending device with UDP traffic. Shorewall performed
better in UDP traffic as well as in TCP. The conclusion is drawn after analyzing both results.
Shorewall handles the traffic well when there were a large number of filtering rules.
12000
10000
Trans. Rate per second
Req=1, Res=1
Req=16, Res=32
8000
Req=32, Res=64
Req=64, Res=128
6000
Req=64, Res=256
4000
Req=64, Res=512
Req=32, Res=1024
2000
Req=64, Res=1024
Req=512, Res=1024
0
0
100
500
1000
36
3500
3000
2500
2000
1500
1000
500
0
0
100
500
4400
4300
4200
4100
4000
3900
3800
3700
3600
3500
3400
1000
100
500
1000
Req=1, Res= 1
Request/response values are important by means of the speed of transmission, where the bigger
values produced lower transactions per second and the smaller values keep the transmission time
short. In this test, a typical request/response size of
and
4300
Trans. Rate per second
3400
3300
3200
3100
3000
2900
2800
2700
4250
4200
4150
4100
4050
4000
100
500
1000
100
500
1000
37
The results show that when there is an increase in the number of filtering rules on both firewalls
transaction rate decrease, which conclude that filtering rules affect the firewall's performance as it
have to check every packet coming from outside against rules that are stored in its configuration
to make any decision. In addition to this, there is a remarkable change in the performance of both
firewalls when there are 1000 filtering rules in connection teardown rate. Transaction rate
decreases to almost half as compared to the time when there were no filtering rules which can be
seen clearly from the graphs of both firewalls.
The results highlight that Shorewall performs better than Iptables to establish and teardown a
TCP connection.
140
120
100
80
HTTP Requests
60
40
20
0
0
500
1000
Filtering rules also affect the HTTP transfer rate of Shorewall but not as compared to Iptables
which suddenly gives the poor performance at 500 rules. Once again the results proved that
Shorewall performed better in this case, by not degrading the performance sharply. The results
can be seen from the figure 5.4.2.
38
60
50
40
30
HTTP Requests
20
10
0
0
500
1000
70
60
50
CPU
40
Memory
30
20
10
0
0
500
1000
39
100
90
80
Usage in (%)
70
60
50
CPU
40
Memory
30
20
10
0
0
500
1000
There is a little change in CPU usage when the rules were 1000 on both firewalls but at 500 rules
there is a minor change in the results. As it is mentioned in design and method section that system
specifications also matter in this case. Since the system specifications on both firewalls were
same. Therefore, the conclusion is that both firewalls shares almost equal amounts of system
resources, but Shorewall consumes a little more CPU than Iptables and provides higher
performance.
5.6 Analysis
The results of both firewalls showed that Shorewall gives higher performance than Iptables when
the numbers of filtering rules are increased. Both firewalls were exposed to identical tests, in
addition with system specifications, a number of rules, design and methods. However, Shorewall
configuration was different from Iptables. As far as the performance is concerned, Shorewall high
output results lie in its configuration and working.
Shorewall is flexible and divides the incoming packets into different categories. It allows the user
to set the interface which is on that machine, the policies which will be applied to the interfaces
and exception to the policy in the form of rules when a request is sent to the interfaces.
Shorewall can be used on a dedicated firewall system and on a standalone GNU/Linux system.
Shorewall does not use Netfilters IP chain compatibility mode and thus take the advantage of
Netfilters connection state tracking capabilities which then results in higher performance in the
network.
40
6 Conclusion
The results show differences between each firewall evaluated according to the metrics defined,
using different methods and tools. Even though the system specifications and configurations were
same for both firewalls however, the way to configure each firewall was different. The results
found during evaluation prove that the chosen evaluation methodology is correct and confirm that
the tools were used properly in the experiments. The results indicate that Shorewall performed
better than Iptables for almost all parameters.
Throughput, latency, connection establishment and teardown rate indicated that number of
filtering rules have a negative impact on the performance of Iptables firewall in contrast with
Shorewall. Since both firewalls cannot detect duplicate rules. Firewalls process the rules from top
to bottom. The order of rules in which they are written is also important. Both firewalls indicate
that small packet sizes do not affect the performance of a firewall. Shorewall performed well
under the stress, which rejects the hypotheses that there is no difference between each and
Iptables give better performance than Shorewall.
The UDP traffic is not affected by the number of filtering rules in throughput calculation.
Moreover, there are no effects of latency on the sending device with UDP traffic. The receiving
device may have to buffer the UDP packets longer with a high amount of jitter.
Some of the limitations of Linux firewalls are also found such as they dont provide redundancy.
This is usually not a huge issue since the both firewalls are low cost and are perfect for small
business. Large enterprises usually use a combination of high-end firewalls and servers to provide
layered security for servers. Therefore, in order to gain the maximum performance from the
firewall, all the network architectures should be considered.
Such performance measurements may help in predicting that how long it will take to send a file
from one network to another including the ratio of discarded packets with the total number of
packets sent or loss rate. If the latency, available bandwidth, HTTP transfer rate, connection
establishment and teardown rate as a profile of firewall performance is known, then it is possible
to improve the performance of a network.
41
42
7 Bibliography
[1] W. Stallings, "Intruders," in Network Security Essentials, Applications and standards,
Pearson, 2011, p. 319.
[2] D. N. S. T. T. M. B. Hickman, "Benchmarking Methodology for Firewall Performance,"
RFC3511, p. 34, 04 2003.
[3] W. Stallings, "Firewalls," in Network Security Essentials, Pearson International Edition,
2010, pp. 22-3.
[4] P. Simoneau, "The OSI Model: Understanding the Seven Layers of Computer Networks,"
Global Knowledge Training LLC, 2006.
[5] G. Yang, "Introduction to TCP/IP Network," Iowa State University, Iowa, 1997.
[6] P. P. Tihomir Katic, "Optimization of Firewall Rules," in Information technology Interfaces,
University of Zagreb, Zagreb, 2007.
[7] D. Huang, "A quick iptables Tutorial," Arizona State University, Tempe, 2009.
[8] P. H. Karen Scarfone, "Guidelines on Firewalls and Firewall Policy," Packet Filtering
Firewall, vol. 1.0, no. National Institute of Standards and Technology, p. 48, 2009.
[9] D. Krishnan, "Firewall Design Principles," Stephen Woodall, 2004.
[10] I. D. V.S. Bagad, "Applicatin level gateways," in Cryptography and Network Security,
Technical Publications, 2008, pp. 5-19.
[11] D. W. Chadwick, "Network Firewall Technologies," University of Salford, Salford.
[12] S. C. C. Rita J. Cressy, "Iptables," LeRoy D. Cressy, 2004.
[13] derkeiler, "Considerations In Developing Firewall Selection Criteria," Adeptech System,
2009.
[14] E. J. W. S. Sharon D. Nelson, "Disgruntled Employees in your Law firm," Sensei
Enterprises, 2005.
[15] C. Roeckl, "An overview of firewall technology and how juniper Networks implements it,"
Juniper Networks, Sunnyvale, California, 2004.
[16] C. Berthelot, "Evaluation of a virtual firewall in a cloud environment," School of computing,
43
Edinburgh, 2011.
[17] V. Y. P. B. Joel Sommers, "Toward Comprehensive Traffic Generation for Online IDS
Evaluation," University of Wisconsin-Madison.
[18] H. Haas, "Network Address Translation," NAT, vol. 1.0, no. Cisco Systems Inc., p. 43, 2005.
[19] J. M. S. Bradner, "Benchmarking methodology for network Interconnect devices," Packet
sizes, vol. 1.0, no. march 1999, pp. 1-28, 1999.
[20] S. J. Shah, "Netperf: Network Benchmarking," California State University San Luis Obispo,
California, 1997.
[21] L. C. T. D. Ajay Tirumala, "Measuring end-to-end bandwidth with Iperf," Stanford
University.
[22] C. Khnast, "HTTPing web check," Linux-magazine, 2006.
[23] M. Wolfgang, "Host Discovery with nmap," Exploring nmap's default behavior, vol. 1.0, p.
16, 2002.
[24] J. Cooper, "The Book of Webmin," How I Learned to Stop Worrying and Love UNIX, vol.
4.0, p. 315, 2003.
[25] R. S. E. W. Ulf Lamping, "Wireshark User's Guide," Ulf Lamping, 2012.
[26] J. Snyder, "Firewalls in the Data Center: Main Strategies and Metrics," Firewall
performance evaluation metrics, table 2, vol. 1, p. 6, 2003.
[27] T. Aduolf, "systems, Department of technology enhanced learning information," protecting
networks, vol. 1, no. University of North Carolina, p. 16, 2010.
44
30 sec
Iptables
Packet Size
(bytes)
0 FW
rules
100 FW
rules
Throughput
(Mbits/sec)
500 FW
rules
1000 FW
rules
32
64
128
256
512
1024
1500
326.14
632.70
664.68
702.92
698.77
704.58
705.04
325.47
609.09
658.56
685.80
684.02
688.66
691.01
324.15
528.91
570.98
558.37
555.45
566.63
568.48
323.48
424.85
418.22
417.33
423.73
432.33
431.04
30 sec
Shorewall
Packet Size
(bytes)
0 FW
rules
100 FW
rules
Throughput
(Mbits/sec)
500 FW
rules
1000 FW
rules
32
64
128
256
512
1024
1500
326.42
641.27
663.27
695.95
694.89
698.44
701.70
326.35
638.04
662.53
694.17
691.62
697.51
700.78
322.40
624.71
661.67
691.43
689.59
693.73
689.10
322.02
604.68
657.58
685.95
683.71
687.07
682.04
UDP Throughput
30 sec
Iptables
Packet Size
(bytes)
0 FW
rules
100 FW
rules
Throughput
(Mbits/sec)
500 FW
rules
1000 FW
rules
32
64
128
256
512
1024
1500
109.49
173.08
312.25
533.08
540.36
680.70
611.87
107.27
172.60
311.38
533.22
540.20
681.24
613.09
107.46
172.46
311.34
533.13
540.24
681.06
611.90
106.37
172.14
310.95
532.93
540.05
679.50
611.43
45
30 sec
Shorewall
Packet Size
(bytes)
0 FW
rules
100 FW
rules
Throughput
(Mbits/sec)
500 FW
rules
1000 FW
rules
32
64
128
256
512
1024
1500
107.80
172.99
311.13
533.16
540.12
680.88
613.14
107.42
172.99
312.34
533.55
540.01
681.24
610.93
106.22
172.83
311.08
533.21
540.37
680.58
610.47
104.18
171.81
312.62
532.95
539.89
681.85
610.83
TCP Latency(Request/Response)
30 sec
Iptables
Firewall rules
Req=1, Res =1 (bytes)
Req=16, Res =32 (bytes)
Req=32, Res =64 (bytes)
Req=64, Res =128 (bytes)
Req=64, Res =256 (bytes)
Req=64, Res =512 (bytes)
Req=32, Res =1024 (bytes)
Req=64, Res =1024 (bytes)
Req=512, Res =1024 (bytes)
100
500
1000
9708.29
9162.74
9062.12
8971.02
7575.06
7358.23
6698.80
6655.03
6055.11
9307.35
9009.69
8983.82
8845.16
7701.61
7312.30
6674.67
6610.01
6025.38
8646.57
8559.67
8522.42
8458.15
7487.20
7029.60
6432.11
6402.04
5633.75
8146.74
7994.10
7926.38
7779.76
7139.73
6714.92
6129.57
6075.07
5576.20
30 sec
Shorewall
Firewall rules
Req=1, Res =1 (bytes)
Req=16, Res =32 (bytes)
Req=32, Res =64 (bytes)
Req=64, Res =128 (bytes)
Req=64, Res =256 (bytes)
Req=64, Res =512 (bytes)
Req=32, Res =1024 (bytes)
Req=64, Res =1024 (bytes)
Req=512, Res =1024 (bytes)
100
500
1000
9813.36
9125.05
9055.34
8907.19
8525.38
7384.56
6739.04
6691.03
6123.40
9763.01
9109.72
9009.49
8872.62
8278.76
7380.00
6734.52
6686.77
6051.34
9660.33
9046.38
8999.44
8866.42
7831.76
7342.40
6695.80
6650.46
6019.22
9683.23
9018.02
8965.41
8837.09
7525.32
7313.96
6635.10
6633.20
6009.64
46
30 sec
Iptables
Firewall rules
Req=1, Res =1 (bytes)
Req=16, Res =32 (bytes)
Req=32, Res =64 (bytes)
Req=64, Res =128 (bytes)
Req=64, Res =256 (bytes)
Req=64, Res =512 (bytes)
Req=32, Res =1024 (bytes)
Req=64, Res =1024 (bytes)
Req=512, Res =1024 (bytes)
100
500
1000
10342.23
10327.03
10319.89
10250.27
10214.24
9637.95
7537.39
7431.31
6835.44
10334.66
10336.14
10330.82
10255.49
10128.24
9416.32
7439.50
7352.46
6750.33
10332.32
10325.03
10215.79
9628.55
9439.68
8090.96
7170.36
7089.10
6528.06
8809.41
8796.49
8704.88
8602.25
8320.52
7261.37
6547.00
6516.90
5832.14
30 sec
Shorewall
Firewall rules
Req=1, Res =1 (bytes)
Req=16, Res =32 (bytes)
Req=32, Res =64 (bytes)
Req=64, Res =128 (bytes)
Req=64, Res =256 (bytes)
Req=64, Res =512 (bytes)
Req=32, Res =1024 (bytes)
Req=64, Res =1024 (bytes)
Req=512, Res =1024 (bytes)
100
500
1000
10349.19
10330.29
10323.94
10234.12
9672.49
8938.79
7276.30
7197.13
6614.47
10332.65
10331.03
10327.16
10204.77
9668.24
8915.14
7265.50
7178.36
6607.53
10340.56
10325.86
10320.70
9975.33
9649.01
8657.42
7221.77
7137.80
6565.21
10332.86
10323.75
10312.90
10226.86
9665.87
9124.13
7284.23
7206.50
6629.10
60 sec
Iptables
Firewall rules
Trans.
Rate/ sec
100
500
1000
3512.92
3180.55
3423.64
3144.69
3220.63
2944.90
2989.28
2763.14
47
60 sec
Shorewall
Firewall rules
Trans.
Rate/ sec
100
500
1000
3419.07
3126.78
3409.00
3121.85
3345.96
3073.44
3251.52
2977.00
60 sec
Iptables
Firewall rules
Trans.
Rate/ sec
100
500
1000
4343.23
4343.34
4269.49
4270.63
3918.25
3922.44
3743.65
3762.96
100
500
1000
4274.43
4273.89
4255.20
4258.71
4180.26
4174.33
4101.76
4102.28
60 sec
Shorewall
Firewall rules
Trans.
Rate/ sec
65 sec
Packet Size
(bytes)
0 FW rules
HTTP Transfer
rate (Req: 60)
500 FW rules
1000 FW rules
Round-trip time
(ms)
Min
Avg
Max
Transfer Speed
(KB)
Min
Avg
Max
1.0
1.5
3.3
16784
209490
325243
1.1
1.5
3.4
1790
207492
323699
1.1
1.5
4.1
2219
224093
321235
48
Shorewall
512
65 sec
Packet Size
(bytes)
0 FW rules
HTTP Transfer
rate (Req: 60)
500 FW rules
1000 FW rules
Round-trip time
(ms)
Min
Avg
Max
Transfer Speed
(KB)
Min
Avg
Max
1.2
1.8
3.7
7580
20211
28342
1.3
1.9
3.8
6271
18611
39522
1.2
2.1
3.7
4710
19989
114682
30 sec
Packet Size
(bytes)
0 FW rules
500 FW rules
1000 FW rules
1024
CPU Usage(%)
Memory Usage(%)
71.52
57.49
76.72
58.93
89.68
59.94
Shorewall
30 sec
Packet Size
(bytes)
0 FW rules
500 FW rules
1000 FW rules
1024
CPU Usage(%)
Memory Usage(%)
81.76
42.71
87.04
51.50
90.17
52.34
49
INPUT
OUTPUT
FORWARD
INPUT ACCEPT
OUTPUT ACCEPT
FORWARD ACCEPT
INPUT -s 194.47.155.1 -j DROP
INPUT -d 192.168.14.1 -j DROP
INPUT -i eth1 -s 194.47.155.10
INPUT -i eth1 -s 194.47.155.11
INPUT -i eth1 -s 194.47.155.12
INPUT -i eth1 -s 194.47.155.13
INPUT -i eth1 -s 194.47.155.14
INPUT -i eth1 -s 194.47.155.15
INPUT -i eth1 -s 194.47.155.16
INPUT -i eth1 -s 194.47.155.17
-j
-j
-j
-j
-j
-j
-j
-j
DROP
REJECT
REJECT
REJECT
DROP
DROP
REJECT
DROP
USER/ MARK
LIMIT
GROUP
50